States Step Up Data Privacy and Security Regulation

State legislatures in California and New York have taken action to respond to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization.

The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA mandates businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt-out from its sale, and to create privacy policies detailing their processes for selling or distributing consumer data.

With respect to those compliance obligations, the California Attorney General issued proposed regulations on October 10, 2019, that are “intended to operationalize the CCPA” and purport to “provide clarity to assist in implementation” of the CCPA’s requirements, particularly with respect to notices and the handling of consumer requests regarding their data collected or maintained by the company. On the heels of these proposed regulations, Governor Gavin Newsom signed several amendments to the CCPA on October 11, 2019, which purport to provide more guidance by clarifying the definition of personal information, specifying the required notification to consumers in the event of a data breach, and providing a limited exception for HR information and business-to-business communications, but make no significant substantive changes to the basic requirements of the law. Ultimately, although requirements of the CCPA continue to evolve, compliance remains mandated by January 1, 2020.

In New York, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed by Governor Andrew Cuomo on July 25, 2019. The SHIELD Act broadens New York’s requirements for data breach notification and data security and, perhaps most significantly, reaches beyond the State’s borders and applies to all persons and entities that have private information of a New York resident – even if the company does not do business in New York. The Act’s modified and expanded breach-notification requirements, which became effective October 23, 2019, require notice to consumers when their private information has merely been accessed by an unauthorized person – even if no private information is actually acquired.

The SHIELD Act’s data security requirements, which take effect March 21, 2020, create an entirely new obligation for all companies that own data that includes the private information of even one single New York resident – requiring these companies to “implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” Certain qualifying small businesses are given some leeway for compliance with these new requirements, but must still implement safeguards appropriate for the nature and scope of their respective small business activities.

Finally, the New Jersey Legislature continues its efforts to implement comprehensive data privacy and security regulations. For example, Assembly Bill 4902 (and the companion Senate Bill 2834) and Assembly Bill 4640 (and the companion Senate Bill 3153) will dramatically change the landscape of the State’s privacy and security regulation with a direct effect on both New Jersey businesses and New Jersey residents. Each of these bills would implement new requirements for businesses that collect or process personal information from a New Jersey resident, including providing customers a “complete description” of the personally identifiable information collected, identifying all third parties that the company may share the personal information with, and affording customers certain rights with regard to the personal information collected, including the right to opt out of the sale of their personal information. Failure to notify a customer of the disclosure of personally identifiable information or failure to allow a customer to opt out will constitute a violation of the law, and may subject the operator to significant penalties. Though these bills (and several other bills on related subjects) are still pending, the likelihood increases every day that new privacy and security requirements will be enacted. As a result, it is important for all businesses collecting or processing the personal information of New Jersey residents to revisit privacy and security compliance measures to adequately prepare for changing requirements.

In the wake of this new legislation and the ever-evolving privacy and security regimes that apply to daily operations, all businesses should review the scope of the personal information they collect and process, as well as their existing policies and practices to determine whether revised or additional procedures are needed to achieve compliance.

Jason R. Halpin and Mary K. Bessemer, Associates in the Gibbons Commercial & Criminal Litigation Department, authored this post.